<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<META name="generator" content="HTML Tidy for Linux/x86 (vers 12 April 2005), see www.w3.org">
<TITLE>SSL/TLS Certificates</TITLE>
<META name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.79">
<LINK rel="HOME" title="Abyss Web Server For Windows User's Guide" href="index.html">
<LINK rel="UP" title="Server Management" href="server.html">
<LINK rel="PREVIOUS" title="General server configuration" href="servergeneral.html">
<LINK rel="NEXT" title="Hosts Management" href="hosts.html">
<LINK rel="STYLESHEET" type="text/css" href="stylesheet.css">
<META name="AppleIcon" content="icon.png">
<META name="AppleTitle" content="SSL/TLS Certificates">
<META name="Description" content="SSL/TLS Certificates">
<META name="AppleOrder" content="">
</HEAD>
<BODY class="SECT1" bgcolor="#FFFFFF" text="#000000">
<DIV class="NAVHEADER">
<TABLE summary="Header navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
<TR>
<TH colspan="3" align="center">Abyss Web Server For Windows User's Guide</TH>
</TR>
<TR>
<TD width="10%" align="left" valign="bottom"><A href="servergeneral.html" accesskey="P">Prev</A></TD>
<TD width="80%" align="center" valign="bottom">Chapter 4. Server Management</TD>
<TD width="10%" align="right" valign="bottom"><A href="hosts.html" accesskey="N">Next</A></TD>
</TR>
</TABLE>
<HR align="left" width="100%"></DIV>
<DIV class="SECT1">
<H1 class="SECT1"><A name="SSL" id="SSL">SSL/TLS Certificates</A></H1>
<P>Open the console and select <B class="GUILABEL">SSL/TLS Configuration</B> to display the SSL/TLS certificates management interface. With it, you can:</P>
<UL>
<LI>
<P>Create and manage private keys.</P>
</LI>
<LI>
<P>Create self-signed certificates.</P>
</LI>
<LI>
<P>Add certificates signed by certification authorities.</P>
</LI>
<LI>
<P>Generate certificate signing requests (CSR).</P>
</LI>
</UL>
<DIV class="SECT2">
<H2 class="SECT2"><A name="SSL-OVERVIEW" id="SSL-OVERVIEW">Overview</A></H2>
<P>SSL/TLS is a communication protocol which encrypts data exchanged between the server and the client. It is used to transfer HTTP requests and responses securely on the network in order to prevent spying or data sniffing.</P>
<P>To secure one of your hosts or the console with SSL, you first need to generate a private key. A private key should never be disclosed as it is used to cipher (i.e. encode) transferred data.</P>
<P>SSL/TLS requires also that the server makes its real identity available to the client by sending a certificate as soon as a connection is established between both of them. A certificate contains information about the certificate holder. If you intend to host a business site or a site where sensitive data is expected to be gathered or displayed, we strongly recommend that the certificate is signed by an independent certification authority which will check the holder information. A certificate that is not signed by a certification authority will work but the visitors' browsers will always display a warning message and invite them to confirm that they trust your self-signed certificate.</P>
<P>To sign a certificate by a certification authority, you have to create a CSR (Certificate Signing Request). A CSR is generated by choosing a private key and by entering your information. Once the CSR generated, you will have to send it to a certification authority which will do the necessary to check your information and to generate a signed certificate. Note that only the CSR has to be sent to the certification authority, the private key used to generate it should never be sent to them. When you receive the signed certificate, all you have to do is to enter it in Abyss Web Server console to start using it.</P>
</DIV>
<DIV class="SECT2">
<H2 class="SECT2"><A name="CERTIFICATES-PKEYS" id="CERTIFICATES-PKEYS">Generating a private key</A></H2>
<P>To create a new private key, press <B class="GUILABEL">Add</B> in the <B class="GUILABEL">Private Keys</B> table. In the displayed dialog, choose a distinctive name for the key and enter it in the <B class="GUILABEL">Name</B> field. Set <B class="GUILABEL">Action</B> to <B class="GUILABEL">Generate</B> and select the key type using the dropdown menu <B class="GUILABEL">Type</B>. When you press <B class="GUILABEL">OK</B>, the private key generation starts. It can take from a second to a minute depending on your computer speed and the type of the key you have chosen.</P>
</DIV>
<DIV class="SECT2">
<H2 class="SECT2"><A name="CERTIFICATES-PKEYS-IMPORT" id="CERTIFICATES-PKEYS-IMPORT">Importing a private key</A></H2>
<P>If you already have a private key and want to use it in Abyss Web Server, press <B class="GUILABEL">Add</B> in the <B class="GUILABEL">Private Keys</B> table. In the displayed dialog, choose a distinctive name for the key and enter it in the <B class="GUILABEL">Name</B> field. Set <B class="GUILABEL">Action</B> to <B class="GUILABEL">Import</B> and copy the private key text contents in the <B class="GUILABEL">Key Contents</B> text area. Note that a private key stored in a file using the PEM encoding can be opened with any text editor and its contents copied then pasted in <B class="GUILABEL">Key Contents</B> to import it.</P>
</DIV>
<DIV class="SECT2">
<H2 class="SECT2"><A name="CERTIFICATES-CSR" id="CERTIFICATES-CSR">Generating a CSR</A></H2>
<P>To obtain a certificate signed by a certification authority, press <B class="GUILABEL">Generate</B> in front of <B class="GUILABEL">Certificate Signing Request</B>. In the displayed dialog, choose a private key that the certificate will be based on. Next fill the listed fields with your information. Note that you must enter accurate information as most certification authorities will verify them before issuing the signed certificate. Press <B class="GUILABEL">OK</B> when you are done. The console will then display the CSR contents in a text area. Depending on your certification authority, you may have to send it, copy it in an online form, or put it in a text file and forward it to them. We strongly recommend that you check with your certification authority about the best way to provide them with the CSR.</P>
<DIV class="NOTE">
<BLOCKQUOTE class="NOTE">
<P><B>How to properly fill the Host name (Common Name) field?:</B> The <B class="GUILABEL">Host name (Common Name)</B> must be filled with the name of the host which will use the certificate. If the host name is <KBD class="USERINPUT">www.example.com</KBD>, that field should contain <KBD class="USERINPUT">www.example.com</KBD> and not only <KBD class="USERINPUT">example.com</KBD>.</P>
<P>Some certification authorities support wildcard certificates. In such a case, you can enter in that field <KBD class="USERINPUT">*.example.com</KBD> which will create a CSR for a certificate that will be valid for <KBD class="USERINPUT">www.example.com</KBD>, <KBD class="USERINPUT">test.example.com</KBD>, or <KBD class="USERINPUT">mail.example.com</KBD>. However that certificate will not be valid for <KBD class="USERINPUT">example.com</KBD> or <KBD class="USERINPUT">test.mail.example.com</KBD>.</P>
<P>Some certification authorities may also support certificates with more than one host name. To generate a CSR for such a certification authority, enter in the <B class="GUILABEL">Host name (Common Name)</B> all the host names separated with spaces. For example, if a certificate is to be associated with both <KBD class="USERINPUT">test.example.com</KBD> and <KBD class="USERINPUT">mail.example.com</KBD>, enter <KBD class="USERINPUT">test.example.com mail.example.com</KBD>.</P>
</BLOCKQUOTE>
</DIV>
<DIV class="NOTE">
<BLOCKQUOTE class="NOTE">
<P><B>About the "Server Type" question:</B> Some certification authorities will ask you about your server type. This information is mainly used for statistical purposes and makes no difference on the final signed certificate they will deliver. If you do not find Abyss Web Server on their list, select <B class="GUILABEL">Other Web Server</B> or <B class="GUILABEL">Other</B>. If no such choices are available, you can select <B class="GUILABEL">OpenSSL</B> or <B class="GUILABEL">OpenSSL-based server</B>. Again if no such choices are available, you can safely select <B class="GUILABEL">Apache</B> or <B class="GUILABEL">ModSSL</B> as our SSL/TLS implementation is based on OpenSSL which is also used by Apache and ModSSL.</P>
</BLOCKQUOTE>
</DIV>
</DIV>
<DIV class="SECT2">
<H2 class="SECT2"><A name="CERTIFICATES-CERTS" id="CERTIFICATES-CERTS">Adding a signed certificate</A></H2>
<P>To import a certificate signed by a certification authority into Abyss Web Server, press <B class="GUILABEL">Add</B> in the <B class="GUILABEL">Certificates</B> table. In the displayed dialog, choose a name for the new certificate and enter it in <B class="GUILABEL">Name</B>. Set <B class="GUILABEL">Private Key</B> to the private key that the certificate is based on: It is the same private key that you selected when generating the CSR associated with that certificate. Next set <B class="GUILABEL">Type</B> to <B class="GUILABEL">Signed by a Certification Authority (CA)</B>. Enter the main certificate in <B class="GUILABEL">Main Certificate</B>. If it was delivered in a file, open it with a text editor and copy its contents to <B class="GUILABEL">Main Certificate</B>.</P>
<P>If the certification authority provided you with additional certificates that are necessary to establish the trust chain, they must be entered in the <B class="GUILABEL">Intermediate Certificates</B>. If more than a single intermediate certificate is available, enter their contents one after the other in that field.</P>
<P>The last field <B class="GUILABEL">CA Root Certificate</B> must be filled with the CA (Certification Authority) or root certificate if available. Press <B class="GUILABEL">OK</B> to validate the new certificate.</P>
</DIV>
<DIV class="SECT2">
<H2 class="SECT2"><A name="CERTIFICATES-CERTS-SS" id="CERTIFICATES-CERTS-SS">Creating a self-signed certificate</A></H2>
<P>If your use of SSL is limited or if you do not mind having your visitors get a warning from their browser about your certificate each time they access your site, you can generate a self-signed certificate using the console.</P>
<P>To generate a self-signed certificate, press <B class="GUILABEL">Add</B> in the <B class="GUILABEL">Certificates</B> table. In the displayed dialog, choose a name for the new certificate and enter it in <B class="GUILABEL">Name</B>. Use <B class="GUILABEL">Private Key</B> to select the private key that the certificate will be based on. Next set <B class="GUILABEL">Type</B> to <B class="GUILABEL">Self-Signed Certificate</B>. Fill the information fields with your details. Finally press <B class="GUILABEL">OK</B> to create the certificate.</P>
<DIV class="NOTE">
<BLOCKQUOTE class="NOTE">
<P><B>Self-signed certificates security:</B> A site using a self-signed certificate offers the same security as a site using a certificate signed by a certification authority since the encryption is private key dependant only. But consider that self-signed certificates cannot be trusted by vistors who do not know you. So use them only for tests or for sites which access is limited and which vistors trust you (for example in an Intranet or for a family Web site).</P>
</BLOCKQUOTE>
</DIV>
</DIV>
</DIV>
<DIV class="NAVFOOTER">
<HR align="left" width="100%">
<TABLE summary="Footer navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
<TR>
<TD width="33%" align="left" valign="top"><A href="servergeneral.html" accesskey="P">Prev</A></TD>
<TD width="34%" align="center" valign="top"><A href="index.html" accesskey="H">Home</A></TD>
<TD width="33%" align="right" valign="top"><A href="hosts.html" accesskey="N">Next</A></TD>
</TR>
<TR>
<TD width="33%" align="left" valign="top">General server configuration</TD>
<TD width="34%" align="center" valign="top"><A href="server.html" accesskey="U">Up</A></TD>
<TD width="33%" align="right" valign="top">Hosts Management</TD>
</TR>
</TABLE>
</DIV>
<DIV class="COPYRIGHT">Copyright &copy; 2001-2009 Aprelium</DIV>
</BODY>
</HTML>
